Opinion: Forget about Safe Harbor. Modernize global privacy law instead
There's a聽widening transatlantic divide regarding privacy rights that needs to be bridged 鈥 and soon.
But instead of coming up with another version of the data transfer agreement between the US and European Union known as Safe Harbor, we need a new set of global standards to build a聽common vision of privacy rights in the Digital Age.
That might sound unachievable and impractical to the聽more than 4,500 European and US firms that have relied on Safe Harbor for more than 15 years to聽transfer EU data stateside. But when聽the European Court of Justice invalidated that deal, in the aftermath of the Edward Snowden revelations that Europeans' data was subject to National Security Agency surveillance, it became clear that a single data agreement couldn't account for all the ways聽countries balance privacy, freedom of expression, and national security.
As Yale Law School Prof. James Whitman has argued,聽"in the law of privacy ... the contrast between Europe and the United States is stark and is growing starker."
What's more, it's becoming clear that European and US negotiators won't find a way to repair Safe Harbor before the Jan. 31 deadline that聽EU data protection authorities set for a new deal.听Without that revised arrangement to safeguard Europeans' data from US government snooping,聽EU regulators have threatened "mass enforcement of illegal data transfers" starting as early as February.
Even if negotiators reach a last-minute deal on Safe Harbor, it would still face legal challenges in the EU from both European citizens and data protection authorities questioning the deal鈥檚 adequacy.
But a new聽Safe Harbor is simply a Band-Aid. Instead, let's start a dialog to clarify and upgrade global privacy standards. Let's flesh out the right to privacy mentioned in the聽1948 Universal Declaration of Human Rights, which was expanded upon by the 1966 International Covenant on Civil and Political Rights (ICCPR) that has been signed by more than 160 nations including the US.
In particular, Article 17 of the ICCPR states, "No one shall be subjected to arbitrary or unlawful interference with his privacy, family, home or correspondence, nor to unlawful attacks on his honor and reputation."
We also need a new protocol in the convention,聽updating Article 17 to include the "digital sphere" so as to create "globally applicable standards for data protection and the protection of privacy in accordance with the rule of law."
The German government 鈥 notably German Federal Data Protection Officer Peter Schaar 鈥 has pushed this approach, which was by the International Conference of Data Protection and Privacy Commissioners in 2013. Its passage was notable both for its timing 鈥撀爌articipants have been calling for a treaty guaranteeing data protection and privacy as a human right since 2005 鈥 and the diverse array of participants involved include Japan, New Zealand, France, Slovenia, Ireland, Spain, Germany, Burkina Faso, Canada, and the US.
Only the US abstained in the final vote. That was a mistake. If the US were to support Germany and other nations' efforts, it would send a powerful message to both the EU and to the US tech sector that Washington is committed聽to modernizing international privacy law.
The German government has long that international privacy law has lagged behind digital realities, though the tenor of the debate changed following Mr. Snowden's leaks.听Still, privacy guidelines remain largely nonbonding. That is not to say that the situation has remained stagnant. The UN General Assembly took action in late 2013, passing a consensus resolution on 鈥淸t]he 鈥 affirming that human rights including privacy and freedom of expression apply online in a move that could contribute to a positive .
Without clarification, the utility of the ICCPR and human rights law generally to advancing global privacy law will continue to be undermined by spy agencies and private industry. But with renewed support, several ICCPR provisions 鈥 including Article 17 (protecting the right to privacy) and Article 19 (protecting the right to seek information) 鈥 would have as applied to data privacy.
Supporting the drive for a new protocol would seem to be the most politically palatable option for US policymakers in the near term, but there is an argument to be made that these options are not mutually exclusive 鈥 negotiations could begin on a new international privacy treaty in tandem with mutually reinforcing work on a new Protocol to Article 17.
US engagement in any of these options beyond Safe Harbor would send a powerful message to the world that would help rebuild trust in both the US government and the US tech sector 鈥 providing聽businesses with greater certainty, and helping to narrow the聽widening transatlantic rift聽over data.
Scott Shackelford serves on the faculty of Indiana University where he teaches cybersecurity law and policy. Follow him on Twitter聽.听
